On Fri, Dec 12, 2003 at 09:10:50PM -0800, Sharad Ahlawat wrote: > > Issue #2: This is a widely known common aspect of the Pre Shared Keys (PSK) > authentication mechanism since 1999. With PSK, there is no way for a client > to identify what is on the other side of the connection except that the other > side has the same PSK. Sharad's (Cisco's?) highly disingenuous claim is completely false. In fact, the security vulnerability in question is caused by Cisco's decision to deliberately *misuse* the preshared key authentication method of IKE, in combination with the very dangerous XAUTH extension to IKE which was not accepted by the IETF IPsec wworking group. As is specified by the relevant standards and as was pointed out in the working group while XAUTH was under discussion, the entire security of the PSK authentication method relies upon the fact that these keys are, in fact, a shared secret between the two IPsec peers -- *not* a "VPN server" and an arbitrary number of "clients". In combination with the rejected XAUTH extension, the misuse of PSK that Cisco advocates and supports is particularly dangerous because it leads to the disclosure of persistent authentication information such as user passwords. Indeed, with preshared key authentication, there is no way for a client to identify what is on the other side of the connection except that the other side has the same preshared key. That much is intrinsic to the design of the protocol *and is why only two parties must ever have knowledge of any single preshared key*. Yet Cisco deliberately chooses to *recommend* to its customers an IKE configuration in which many parties use the same preshared key, and, even worse, use that key to "protect" the dangerous and nonstandard XAUTH exchange in which the client will give password or other legacy authentication information to the other end with no guarantee of what, exactly, that other end might be. In other words, Sharad confirms that Cisco knows just how dangerous this is, while glossing over the fact that Cisco sales engineers and other field personnel continue to *recommend* this configuration to customers. Indeed, if this configuration is so widely understood to be dangerous, why does the Cisco client software even support it, even going so far as to gloss over the fact that a preshared key is being used by more than two parties by calling it a "group password"? Cisco customers: take note: Sharad -- Cisco's de-facto representative on Bugtraq -- has just told you not to use the configuration in question because it's unsafe, and says that Cisco's known that for a long time. I suggest that you ask your sales engineers why they recommended it to you. Thor
